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Abstract 



The process of categorizing packets into "flows" in an Internet router is called packet 
classification. All packets belonging to the same flow obey a pre-defined rule and are processed in 
a similar manner by the router. For example, all packets with the same source and destination IP 
addresses may be defined to form a flow. Packet classification is needed for non "best-effort" 
services, such as firewalls aiwi quality of service; services that require the capability to distinguish 
and isolate traffic in different flows for suitable processing. In general, packet classification on 
multiple fields is a difficult problem. Hence, researchers have proposed a variety of algorithms 
which, broadly speaking, can be categorized as "basic search algorithms," geometric algorithms, 
heuristic algorithms, or hardware-specific search algorithms. In this tutorial we describe 
algorithms that are representative of each category, and discuss which type of algorithm might be 
suitable for different applications. 



1 Introduction 

Until recently. Internet routers provided only "best-effort" service, servicing packets in 
a first-come-first-served manner. Routers are now called upon to provide different quali- 
ties of service to different applications which means routers need new mechanisms such as 
admission control, resource reservation, per-floMf queueing, and fair scheduling- AU of 
these mechanisms require the router to distinguish packets belonging to different flows. 



Flows are specified by rules applied to incoming packete. We call a collection of rules 
a classifier. Each rule specifies a flow that a packet may belong to based on some criteria 
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L2 = Layer 2 (c.g., Ethernet) 
L3 = Layer 3(e.g.. IP) 
L4 = Layer 4(e.g., ICP) 



DA -Destination Address 
S A = Source Address 
PRar = Protocol 
SP= Source Port 
DP ^Destination Port 

Figure 1 Thifi figure i^haw^ fiome of the header field* (and U.cir widihs) that might be us6d fof classifvine 
used' applicaUon-Iellel) headers^ 2 



applied to the packet header, as shown in Figure 1. To illustrate the variety of classifiers, 
consider some examples of how packet classification can be used by an ISP to provide dif- 
ferent services. Figure 2 shows ISP, connected to three different sites: enterprise networks 
E, and E2 and a Network Access Point* (NAP), which is in turn connected to ISPj and 
ISP3. ISPi provides a number of different services to its customers, as shown in Table 1 . 

TABLE 1. 



Service 


Example 


Packet Filtering 


Deny all traffic from fSPj (on interface ;0 destined to 


Policy Routing 


Send ait voice-over-IP traffic arriving from E, (on interface Y) and 
destined to Ej via a separate ATM networic 


Accounting Sl Billing 


Treat all video traffic to E, (via interface Y) as highesr priority and 
perform accounting for the traffic sent diis way. 


Traffic Rate Limiting 


Ensure that ISPj does not inject more than 1 0Mbps of email traffic 
and 50Mbps of total traffic on interface X. 


Traffic Shaping 


Ensure that no more than 50Mbps of web traffic is injected into ISP, 
on interface X, 



Figure 2 Example network of an ISP (ISPi) connected to two enterprise networks (E| and and to two 
other iS? networks across a network access point (NAP). 



Table 2 shows the flows that an incoming packet must be classified into by the router 
at interface X. Note that the flows specified may or may not be mutually exclusive. For 

TABLE 2. 



Flow 


Relevant Packet Fields: 


Email and from ISP2 


Source Link-layer Address. Source Transport port number 


From ISP2 


SoiiFHR IJnk>layer Address 


From tSPj and going to Ej 


Source Link-layer Address, 
Destination Network-Layer Address 


All other packets 





example, the first and second flow in Table 2 overlap. This is common in practice, and 
when no explicit priorities are specified, we follow the convention that rules closer to the 
top of the list take priority. 

1.1 Problem statement 

Each rule of a classifier has d components. R [i] is the i^* component of rule /?, and is 
a regular expression 011 ilic 1'* field of the packet header. A packet P ts said to match rule 
R, if V( , the field of the header of P satisfies the regular expression R[i] . In practice, a 
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rule component is not a general regular expression but is often iimited by syntax to a sim- 
ple address/mask or operator/number{s) specification. In an address/mask specification, a 
0 (respectively I) at bit position x in the mask denotes that the corresponding bit in the 
address is a don't care (respectively significant) bit. Examples of operator/numbcr(s) spec- 
ifications are eq 1232 and range 34-9339. Note that a prefix can be specified as an address/ 
mask pair where the mask is contiguous — i.e., all bits with value 1 appear to the left of 
bits with value 0 in the mask. It can also be specified as a range of width equal to 2' where 
! = 32- prefixlength. Most commonly occurring specifications can be represented by 
ranges. 

An example rcal-Ufc classifici lit fuur dimensions is shown in Table 3. By convention, 
the first nile Rl is of highest priority and rule R7 is of lowest priority. Some example clas- 
sification results arc shown in Tabic 4. 
TABte 3. 



Rule 


Network-layer 
Destination (address/ 
mask) 


Network-layer Source 
(address/raask) 


Transport- 
layer 
Destination 


Transport- 
layer 
Protocol 


Action 


Rl 


l52.lb3.IV0.69/ 
255.255.235.255 


152.163.80.11/ 
255.255.255.255 


* 


* 


Deny 


R2 


152.168.3.0/ 

255.255.255.0 


152.163.200.157/ 

255.255.255.255 


eq www 


udp 


Deny 


R5 


152.163.198,4/ 
255.255.255.255 


152.163.160.0/ 
255.255.252.0 


St 1023 


tcp 


Permit 


R6 


0.0.0.0/0.0.0.0 


. 0.0.0.0rt).0.0.0 




* 


Permit 



TABLE 4. 



Packet 
Header 


Network-layer 
Destination 


Network-layer 
Source 


Transport- 
layer 
Destination 


Transport- 
layer 
Protocol 


Best matching 
rule. Action 


PI 


152.163.190.69 


152.163.80.11 


www 


tcp 


Rl,Deny 


P2 


I52.I68.3.2I 


152.163.200.157 


www 


udp 


R2.Deny 


P3 


152.168.198.4 


152.163,160.10 


1024 


icp 


R5. Permit 
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Longest prefix matching for routing lookups is a special-case of one-dimensional 
packet classification. All packets destined to the set of addresses described by a common 
prefix may be considered to be part of the same flow. The address of the next hop where 
the packet should be forwarded to is the associated action. The length of the prefix defines 
the priority of the rule. 

2 Performance metrics for classification algorithms 

• Search speed — Faster links require faster classification. For example, links run- 
ning at lOGbps can bring 31.25 million packets per second (assuming minimum 
sized 40 byte TCP/BP packets). 

• Low storage requirements — Small storage requirements enable the use of fast 
memory technologies like SRAM (Static Random Access Memory). SRAM can 
be used as an on-chip cache by a software algorithm and as on-chip SRAM for a 
hardware algorithm. 

• Ability to handle large real-life classifiers. 

• Fast updates — As the classifier changes* the data structure needs to be updated. 
We can categorize data structures into those which can add or delete entries incre- 
mentally, and those which need to be reconstructed fi'om scratch each time the 
classifier changes. When the data structure is reconstructed firom scratch, we call 
it "pre-processing**. The update rate differs among different applications: a very 
low update rate may t>e sufficicni in firewalls whcie entries are added meuiually or 
infrequently, whereas a router with per-flow queues may require very frequent 
updates. 

• Scalability in the number of header fields used for classification, 

• Flexibility in specification — A classification algorithm should support general 
rules, including prefixes^ operators (range, less than, greater than, equal to, etc.) 
and wildcards. In some applications, nuu-curiilguous^ masks may be required. . 
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3 Classification algorithms 
3.1 Background 

For the next few sections, we will use the example classifier in Table 5 repeatedly. The 
classifier has six rules in two fields labeled F\ and F2 \ each specification is a prefix of 
maximum length 3 bits. We will refer to the classifier as C = {Rj} and each rule Rj as a 
?.-tuple: (/?y,./?y2>. 
TABLE 5. 



Rule 


Fl 


F2 




GO* 


00* 




0* 


01* 


/?3 


1* 


0* 




00* 


0* 


^3 


0* 


1* 


^6 


# 


I* 



3.1.1 Bounds from Computational Geometry 

There is a simple geometric interpretation of packet classification. While a prefix rep- 
resents a contiguous interval on the number line, a two-dimensional rule repi^sents a rect- 
angle in two-dimensional cuclidcan spacc» and a rule in d dimensions represents a rf- 
dimensional hyper-rectangle. A classifier is therefore a collection of prioritized hyper- 
rectangles, and a packet header represents a point in d dimensions. For example. Figure 3 
shows the classifier in Table 5 geometrically in which high priority rules overlay lower 
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Figure 3 Geometric represciitaUon of the classifier in Table 5. A packet represents a point, for instance 
P(01 1 , 1 1 0), in two-di mensional space» Note that R4 is hidden by Rl and R2. 

priority rules. Classifying a packet is equivalent to finding the highest priority rectangle 
that contains the point representing the packet. For example, point P(Oll.llO) in Figure 3 
would be classified by rule R^. . 

There are several standard geometry problems such as ray shooting, point location and 
rectangle enclosure that resemble packet classification. Point location involves finding the 
enclosing region of a point, given a set of non-overlapping regions. The best bounds for 
point location in N rectangular regions and ^> 3 dimensions are 0(logAO time with 
Oil/) space;* or 0((logN)^^ *) time with 0(N) space [71[8]. In packet classification, 
hyper-rectangles can overlap making classification at least as hard as point location. 
Hence, a solution is either impracticably large (with 100 rules and 4 fields, space is 
about lOOMBytes) or too slow ((logAO''" ' is about 350 memory accesses). 

We can conclude that: (1) Multi-field classification is considerably more complex than 
one-dimensional longest prefix matching, and (2) Complexity may require that practical 
solutions use heuristics. 



I. The lime bound for S3 is 0{\og\ogN) (7J but has large consiant faciors. 
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3.1.2 Range Lookups 

Packet classification is made yet more complex by the need to match on ranges as weJI 
as prefixes. A range lookup for a dimension of width W bits can be defined as: 

DeDnition 1: Given a set of N disjoint ranges C = { G. = } that form a partition of 

w 

the number line 102 - 1] . i.e., I. and are such that 

/j =0,/.<u,/.^j =«.+ !, £i^ = 2 -\; the range lookup problem is to find the 
range (and any assoriated information) that contains an incoming point P. 

To assess the increased complexity of ranges, we can convert each range to a set of 
prefixes (a prefix of length s corresponds to a range [/, u] where the {W^s) least signif- 
icant bits of / are all 0 and those of « arc all 1) and use a longest prefix matching algo- 
rithm [ref tutorial paper in same issue]. Table 6 shows some examples of range-to-prefix 
conversions for = 4 . 



TABLE 6. 



Range 


Constituent Prefixes 


[4.7J 




{3.81 


OpII.OI*MO0O 


[M41 


0001, 001*. 01**, 10**. no*, 1110 



A H'-bit range can be represented by at most ZW^-l prefixes (see the last row of lable 
6 as an example) which means a prefix matching algorithm can find ranges with 2W times 
as much storage. Feldman and Muthukrishnan [3] show a rcduuiion of ranges to prefix 
lookup with a two-fold storage increase that can be used in some specific multi-dimen- 
sional classification schemes. 
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3.2 Taxonomy of classification algorithms 

The classificalion algorithms we will describe here can be categorized into the four 
classes shown in Table 7. 

TABLE 7, 



Category 


Algorithms 


Basic data 
stnictures 


Linear search, caching, hierarchical tries, set-pruning 
tries 


Geometry- 
based 


Grid-oMrics.A<yr»FK 


Heuristic 


RFC. hierarchical cuttings, tuple-space search 


Hardware only 


Ternary CAM. bitmap-intersection 



We now proceed. to describe representative algorithms from each class. 

33 Basic data structures 
3^.1 Linear seardi 

The simplest data structure is a linked-Ust of rales stored in order of decreasing prior- 
ity. A packet is compared with each rule sequentially until a rule is found iliai uiatchcs all 
relevant fields. While simple and storage-efficient, this algorithm clearly has poor scaling 
properties; the time to classify a packet grows linearly with the number of rules. 

3.3.2 Hierarchical tries 

A -dimensional hierarchical radix trie is a simple extension of the one dimensional 
radix trie data structure, and is constructed recursively as follows. If d is greater than I, 
we first construct a l-dimensional trie, called the FX -trie, on the set of prefixes 
belonging to dimension F\ of all rules in the classifier. C = [Rj} For each prefix, p , in 
the F\ -trie, we recursively consmict a (rf- 1 ) -dimensional hierarchical trie, r^, on those 
rules which specify exactly p in dimension FX , i.e., on the set of rules { RjiRj^ = p} . Pre- 
fix p is linked to the trie using a next-trie pointer. The storage complexity of the data 
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search path 



Fl-trie 




F2-tries 

Figure 4 A hieiaichical trie data stnicture. The gray pointers are the "next-trie" pointers. The path 
traversed by the queiy algorithm on an incoming packe t (OOP. OIQ) is shown. 

Structure for an A^-rale classifier is CKNdW) . The data structure for the classifier in Table 5 
is shown in Figure 4. Hierarchical tries are sometimes called "multi-level tries", "back- 
tracking-search tries", or "trie-of-lries". 

Classification of an incoming packet (w,. w^) proceeds as follows. The query 
algorithm first traverses the Fl -trie based on the bits in . At each Fl -trie node encoun- 
tered, the algorithm follows the ucxt-trie pointer (if present) and traverses the (rf - 1)- 
dimensional trie. The query time complexity for ^-dimensions is therefore . Incre- 
nnental updates can be carried out similarly in O(d^W) time Since each component of the 
updated rule is stored in exactly one location at maximum depth 0(dW} . 

333 Set-pruning tries 

A set-pmning trie data stnicture [12] is similar, but with reduced query time obtained 
by replicating rules to eliminate recursive traversais. The data stnicture for the classifier 
Tkble 5 is shown in Figure 5. The query algorithm for an incoming packet (v . v . v ) 
need only traverse the Fl -trie to find the longest matching prefix of vl , follow its next- 
trie pointer (if present), traverse the f2-trie to find the longest matching prefix of i^l . and 
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Figure 5 A set-pruning trie data sirucuire. The gray pointisre aie the "next-trie" pointere. The path 
traversed by the qu ery alRorithm on an incoming packet (OOP, 010) is showiL 

SO on for all dimensions. The rules are replicated to ensure that every matching rule will 
be encountered in the path. The query time is reduced to 0{dW) at the expense of 
increased storage of 0{f/dW) since a rule may need to be replicated 0(y/) times. Update 
complexity is 0(A^) . and hence, this data smicnire works only for relatively static clodsifi 
ers. 

3.4 Geometric algorithms 
Crid-of-trias 

The grid-of-tries data structure, proposed by Srinivasan et al [10] for 2-dimensional 
Classiftcaiion, reduces storages space by allocating a rule to only one trie node as in a hier- 
archical trie, and yet achieves 0{W) query time by pre-computing and storing a switch 
pointer in some trie nodes. A switch pointer is labeled with *0' or T and guides the 
search process. The conditions which must be satisfied for a switch pointer labeled b {b = 
•0' or ' r) to exist from a node w in the trie to a node x of another trie are (siee Fig- 
ure 6): 
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Figure 6 The condiUons under which a switch pointer exists from node w to x. 



1. and are distinct tries built on the prefix components of dimension F2 . r 
and are pointed to by two distinct nodes, say r and s respectively of the same 
trie, T, built on prefix components of dimension Fl . 

2. The bit-string that denotes the path from the root node to node w in trie T con- 
catenated with the bit h is identical to the bit-string that denotes the path from the 
root node to node x in the trie r^. 

3. Node w does not have a child pointer labeled b , and 

4. Node s in trie T is the closest ancestor of node r that satisfies the above condi- 
tions. 

If the query algorithm traverses paths C/l(j, root (7 ) , y, jc) and U2(r, root (TJ . w) in 
a hierarchical trie, it need only traverse the path (j. r. root (T J, w,x) on a grid-Of-tries. 
This is because paths Ul and U2 are identical (by condition 2 above) till U\ terminates 
at node w because it has no child branch (by condition 3). The switch pointer eliminares 
the need for backtracking in a hierarchical trie without the storage of a set-pruning trie. 
Fanh bit of the packet header is examined at most once, so the time complexity reduces CO 
0(W) , while storage complexity OINW) is the same as a 2-dimensional hierait:hical trie. 
However, switch pointers makes incremental updates difficult, 3o the authors [10] recom- 
mend rebuilding the data structure (in time 0(NW)) for each update. An example of the 
grid-of-tries data structure is shr^wn in Figure 7. 
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searchpaih ^^S^-^ , Fl-trie 




F2-tries 



R2 

Figure 7 The grid-oMries data structure. The switch pointers are shown dashed. The path traversed by the 
qoery algorithm on an incoming packet (OOP, 010) is shown. ^ 

Reference [10] reports 2MBytes of storage for a 20,000 two-dimensional classifier 
with destination and source IP prefixes. lUe stride of the destination (source) prefix trie 
was 8 (5) bits respectively, leading to a maximum of 9 memory accesses. 

Grid-of-tries works well for two dimensional classification, and can be used for the 
last two dimensions of a multi-dimensional hierarchical trie, decreasing the classification 
time complexity by a factor of W to 0(NW^^ V As with hierarchical and set-pruning 
tries, grid-of.tries handles range specifications by splitting into prefixes. 

3A2 Cross-producting 

Cross-producting [10] is suitable for an arbitrary number of dimensions. Packets are 
classified by composing the results of separate l-dimcnsional range lookups for each 
dimension as explained below. 

Constructing the data structure involves computing a set of rangeR. G^, of size 
^it 1^*1' projected by rule specifications in each dimension k,\^k^d. Let z^. 
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Figure 8 The table produced by the crossproduciing algorithm and its geoitietric 



I iJSs^. denote the /* range in . A cross-product table Cj. of size f[ is con- 

structed, and the best matching rule for each entry (r',', r{. .... r'^). l^i^is^.l<.k^d is 
pre-computcd and stored. Classifying a packet ( involves a range lookup in 

each dimension k to identify the range r'^ containing point v,. . The tuple <r',', r'^ 
is then found in the cross-product table Cj. which contains the pt«-computed best match- 
ing rule. Figure 8 shows an example. 

Given that N prefixes leads to at most 2Af- 2 ranges, <: 2N and is of size (K/^) . 
The lookup time is 0(dt^^) where r^,^ is the time complexity of finding a range in one 
dimension. Because of its high worst case storage complexity, cross-producting is suitable 
for very small classifiers. Reference [10] proposes using an on-demand cross-producting 
scheme together with caching for classifiers bigger than 50 rules in five dimensions. 
Updates require reconstruction of the cross-product table, and so cross-producting is suit- 
able for relatively static classifiers. 



lepiesentation. 
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- R4 " 

Figure 9 The data structure of Section 3.4.3 for Che example classifier of Table 5. The search path for 
example packet P(On . 1 10) resulting in R5 is also shown. 

3,43 A 2-dimensional classification scheme L6J 

Lakshman and Stilladis [6] propose a 2>dimensional ctds^iincation algorithm where 
one dimension, say Ft , is restricted to have prefix specifications while the second dimen- 
sion, F2 , is allowed to have arbitrary range specificaiioiis. Tlic data suuctuie first builds a 
trie on the prefixes of dimension F\ , and then associates a set of non-overlapping 
ranges to each trie node, w, thai represents prefix p . Tlicsc laiiges aic created by (possibly 
overlapping) projections on dimension F2 of those rules, 5^, that specify exactly p in 
dimension Fl . A range lookup data structure (e.g., an array or a binary scaich tree) is then 
constructed on and associated with trie node h^. An example is shown in Rgure 9. 

Searching for point P{v^,v^ involves a range lookup in data structure for each trie 
node, w, encountered. The search in returns the range containing , and hence the 
best matching rule. The highest priority rule is selected from the rules {RJ^ for all trie 
nodes encountered during the traversal. 

The storage complexity is 0{NW) because each rule is stored only once in the data 
structure. Queries take 0{y/\o%N) time because an 0{\ogtf) range lookup is performed for 
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Figure 10 A quadtree constructed. by decomposition of two^imenstonal space. Each decomposition 
resulLs in four quadrante. 

every node encountered in the FX -trie. This can be reduced to C>(W+ log/V) using frac- 
tional cascading [1], but that makes incremental updates impractical. 

3A4 Area-based quadtree 

The Area-based Quadtree (AQT) was proposed by Buddhikoi et al [2] for two-dimen- 
sional classification. AQT allows incremental updates whose complexity can he traded off 
with query time by a tunable parameter. Each node of a quadtree [1] represents a two 
dimensional space that is decomposed into four equal sized quadrants, each of which is 
represented by a child node. The initial two dimensional space is recursively decomposed 
into four equal-sized quadrants til! each quadrant has at most one rule in it (Figure 10 
shows an example of the decomposition). Rules are allocated to each node as follows. A 
rule is said to cross a quadrant if it completely spans at least one dimension of the quad- 
rant. For instance, rule R6 spans the quadrant represented by the root node in Figure 10. 
while R5 does not. If we divide the 2-dimensional space into four quadrants, rule R5 
crosses the north-west quadrant while rule R3 crosses the south-west quadrant We call the 
set of rules crossing the quadrant represented by a node in dimension it , the Jt -crossing fil- 
ter set (fc -CFS) of that node. 
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Figure 11 An AQT data stnjcture. The path traversed by the query algorithm for an incoming packet 
P(00 1,010) , yields R 1 as the best matching nile. 

Two instances of the same data structure are associated with each quadtree node — 
each stores the rules in k-CFS (* = 1, 2). Since rules in crossing filter sets span at least 
one dimension, only the range specified in the other dimension need be stored. Queries 
proceed two bits at a time by transposing one bit from each dimension, with two 1-dimen- 
sional lookups being performed (one for each dimension on *-CFS) at each node. Figure 
11 shows an example. 

Reference [2] proposes an efficient update algorithm that, for N two-dimensional 
rules, has O(yvw) space complexity. 0(aW) search time and 0(a^ update time, where 
a is a tunable integer parameter. 

3.4^ Fat Inverted Segment tree (FIS-tree) 

Feldman and Muthukrishnan [3] propose the Fat Inverted Segment tree CFIS-tree) for 
two dimensional classification as a modification of a segment tree. A segment tree [l] 
stores a set S of possibly overlapping line segments to answer queries such as.finding the 
highest priority line segment containing a given point. A segment tree is a balanced binary 
search tree containing the end points of the line segments in S, Each node, represents a 
range G^^, , leaves represent the original line segments in S , and parent nodes represent the 
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Figure 12 The segment tree and the 2-level FlS-cree for the classifier of Table 5. 



union of the ranges represented by their children. A line segment is allocated to a node w 
if it contains but not G^^^^^^y The highest priority line segment allocated to a node 
is pre^omputed and stored at the node. A query traverses the segment tree from the root, 
calculating the highest priority of all the pre-computed segments encountered. Figure 12 
shows an example segment tree. 

An FIS-tree is a segment tree with two modifications: (i) The segment tree is com- 
pressed (made "fat" by increasing the degree to more than two) in order to decreasR its 
depth and occupies a given number of levels i, and (2) Up-pointers from child to parent 
nodes are used. The data structure for 2-dimensions consists of an FIS-tree on dimension 
F I and a range lookup data associated with each node. An instance of the range lookup 
data structure associated with node w of the RS-tree stores the ranges formed by the f2 - 
projections of those classifier mies whose Fl -projections were allocated to 
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A query for point P(vpVj) first solves the range lookup problem on dimension F\ , 
This returns a leaf node of the HS-tree representing the range containing the point . The 
query algorithm then follows the up-pointers from this leaf node towards the root node, 
carrying out 1 -dimensional range lookups at each node. The highest priority rule contain- 
ing the given point is calculated at the end of the traversal. 

Queries on an /-level FIS-tree havts cuniplcxity 0((/ + l ) ^^^) v/ith storage complexity 
0{ln * where /^^ is the time for a 1 -dimensional range lookup. Storage space can be 
traded off with search time by varying / . Modifications to the FlS-trcc are necessary to 
support incremental updates — even then, it is easier to support inserts than deletes [3]. 
The static FIS-tree can be extended to multiple dimensions by building hierarchical FIS- 
trees, but the bounds are similar to other methods studied earlier [3]. 

Measurements on real-life 2-dimensiona! classifiers are reported in [3] using the static 
FIS-tree data structure. Queries took 15 or less memory operations with a two level tree, 
4-60K rules and SMBytes of storage. Large classifiers with one million 2-dimensional 
rules required 3 levels, 18 memory accesses per query and lOOMBytes of storage. 

3.5 Heuristics 

As we saw in Section 3.1 .1, the packet classification problem is expensive to solve in 

the worst-case theoretical bounds state that solutions to multi-field classification either 

require storage that is geometric, or a number of memory accesses that is polylogarithmic, 
in the number of classification rules. We can expect that classifiers in real networks have 
considerable structure and redundancy that might be exploited by a heuristic. That is the 
motivation behind the algorithms described in this section. 
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Phase 0 Phase 1 Phase 2 Phase 3 



Figure 13 Showing the basic idea of Recuisive Flow CJassification. The red..cHon h carried out in 
muluple phases, with a reduction in phase / being carried out recursively on the image of the phase /-/ The 
example shows the mapping of 2-^ bits to 2^ bits in 3 phases. 

3.5.1 Recursive Flow Classification (RFQ 

RFC [4] is a heuristic for packet classification on nnultiple fields. Classifying a packet 
involves mapping S bits in the packet header to a 7* bit action identifia: where T = \ogN, 
r « 5 . A simple, but impractical method could pre^ompute the action for each of the 2*^ 
different packet headers, yielding the action in one step. RFC attempts to perform the 
same mapping over several phases, as shown in Figure 13; at each stage the algorithm 
maps one set of values lo a smaller set. In each phase a set of memories return a value 
shorter (i.e., expressed in fewer bits) than the index of the memory access. The algorithm, 
illustrated in Figure 14, operates as follows: 

1 . In the first phase, d fields of the packet header are split up into multiple chunks 
that are used to index into multiple memories in parallel. The contents of each 
memory are chosen so that the result of the lookup is narrower than the index. 

2. In subsequent phases, memories are indexed using the results from earlier 
phases. 

3. In the final phase, the memwy yields the action. 

The algorithm requires construction of the contents of each memory, detailed in [4], 
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' Phase 0 Phase 1 Phase 2 Phase 3 



F igure 14 Packet flow in RFC. ^ 

Reference [4] reports that with real-life four-dimensional classifieni of up lo 1700 
rules, RFC appears practical for lOGbps line rates in hardware and 2.5Gbps'rates in soft- 
ware. HoAvever, the storage space and pre-processing lime grow rapidly for classifiers 
larger than about 6000 rules. An optimization described in [4] reduces the storage require- 
ment of a 15,000 four-field classifier to below 4MBytes. 

3.5»2 Hierarchical Intelligent Cuttings (HiCuts) 

HiCuts [5] partitions the mulli-dimensional search space guided by heuristics that 
exploit the structure of the classifier. Each query leads to a leaf node in the HiCuts tree, 
which stores a small number of rules that can be searched sequentially to find the best 
match. The characteristics of the decision tree (its depth, degree of each node, and the 
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Figure 15 A possible HiCuls tree for che example classifier in Table 5. Each ellipse in the tree denotes an 
internal node v with a tuple (size of 2-dimensional space represented, dimension to cut across, number of 
children). Each square is a leaf node which contains the actual classifier rules. 



local seatich decision to be made at each node) are chosen while preprocessing the classi- 
fier based on its characteristics (see [5] for the heuristics used). 

Each node, of the tree represents a portion of the geometric search space. The root 
node represents the complete dimensional space, which is partitioned into smaller geo- 
metric sub-spaces, represented by its child nodes, by cutting across one of the d dimen- 
sions. Each sub-space is recursively partitioned until no sub-space has more than B rules, 
where J? is a tunable parameter of the pre-processing algoritlim. An example is Shown in 
Figure 15 for two dimensions with B ^ 2. 

Parameters of the HiCuts algorithm can be tuned to trade-off query time against stor- 
age requirements. On 40 real-life four-dimensional classifiers with up to 1700 rules, 
HiCuts requires less than 1 MByte of storage with a worst case query time of 20 memory 
accesses, and supports fast updates. 
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Figure 1^ The tuples and »;5iociated hash tables in the tuple space search scheme for the example 
classifier of Table 5. 



3^3 TUpIc Space Search 

The basic tuple space search algorithm (Sun et al [11]) decomposes a classification 
query into a number of exact match queries. The algorithm tirst maps each d -dimensional 
rule into a -tuple whose i'* component stores the length of the prefix specified in the i'* 
dimension of the rule (the scheme supports only prefix specifications). Hence, the set of 
rules mapped to the same tuple are of a fixed and known length, and can be stored in a 
hash table. Queries perform exact match operations on each of the hash tables correspond- 
ing to all possible tuples in the classifier. An example is shown in Figure 16. 

Query lime is M hashed memory accesses, where M is the number of tuples in the 
clas-sifier. Storage complexity is OiN) since each rule is stored in exactly one hash table. 
Incremental updates are supported and require just one hashed memory access to the 
hashed table associated with the tuple of the modified rule. In summary, the tuple space 
search algorithm performs well for multiple dimensions in the average case if the number 
of tuples i.s small. However, the use of hashing makes the time complexity of searches and 
updates non-deterministic. The number of tuples could be very large, up to 0(M^) , in the 
worst case. Fiirthermore. since the scheme supports only prefixes, the storage complexity 
increases by a factor of O(M^) for generic rules as each range could be split into 0(W) 
prefixes in the manner explained in Section 3.1 .2. 
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Figure 17 The lookup operation using a temaiy CAM. 



3.6 Hardware-based algorithms 
3.6*1 Ternary CAMs 

A TCAM stores each »V-bit field as a (va/, mask) pair; where val and mask are each 
M^-bit numbers. For example, if IV = 5 , a prefix 10* will be stored as the pair (lOOOO, 
1 1000). An element matches a given input key by checking if those bits of val for which 
the mask bit is ' T, match those in the key. 

A TCAM is used as shown in Figure 17. The TCAM memory array stores rules in 
decreasing order of priorities, and compares an input key against every element in the 
array in parallel. The A/ -bit bit-vector» matched, indicates which mJes match and so the 
bit priority encoder indicates the address of the highest priority match. The address i.q used 
to index into a RAM to find the action associated with this prefix. 
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TCAMs are being increasingly deployed because of their simplicity and speed (the 
promise of single clock-cycle classification). Several companies produce 2Mb TCAMs 
capable of single and multi-field classification in as little as 10ns. Both faster and denser 
TCAMs can be expected in the near future. There are, however, some disadvantages to 
TCAMs: 

1. A TCAM is less dense than a RAM, storing fewer bits in the same chip area. 
One bit in an SRAM typically requires 4-6 transistors, while one bit in a TCAM 
requires 11-15 transistors [9]. A 2Mb TCAM running at 100 MHz costs about $70 
today, while 8 Mb of SRAM running at 200 MHz costs about $30. Furthermore, 
range specifications need to be split into multiple masks, reducing the number of 
entries by up to (2 VV- 2) ^ in the worst case. If only two 16-bit dimensions specify 
ranges, this is a multiplicative factor of 900. Newer TCAMs, based on DRAM 
technology, have been proposed and promise higher densities. One unresolved 
issue with DRAM-based CAMs is the detection of soft errors caused by alpha par- 
ticles. 

2. TCAMs dissipate more power than RAM solutions because an address is com- 
pared against every TCAM element in parallel. At the time of writing, a 2 Mb 
TCAM chip running at 50 MHz dissipates about 7 watts [13](14]. In comparison, 
an 8Mb SRAM running at 200 MHz dissipates approximately 2 watts [15]. 

TCAMs are appealing for relatively small classifiers, but will probably remain unsuit- 
able in the near future for: (1) Laige classifiers (2S6K-IM rules) used for microflow rec- 
ognition at the edge of the network, (2) Large classifiers (t28-256K rules) used at edge 
routers that manage thousands of subscribers (with a few rules per subscriber), (3) 
Extremely high speed (greater than 2(X)Mpps) classification, and (4) Price-sensitive appli- 
cations. 

3.6*2 Bitmap-intersection 

The bitmap-Intersection classification scheme, prupused in [6], is based on the obser- 
vation that the set of rules. 5, that match a packet is the intersection of d sets, 5,., where 
S. is the set of rules that match the packet in the t dimension alone. While cross-pro- 
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Query on P(011,010): 



010011 Dimension I bitmap 
0001 11 D imension 2 bitmap 
000011 

RS Best matching rule 

Figure 18 Bitmap tables used in the "bitmap-intersection" classification scheme. See Figure 8 for a 
description of the ranges. Also shown is classification query on an exam ple packet P(OI 1 , 1 10). 

ducting pre-computes S and stores the best matching rule in 5. this scheme computes 5 
and the best matching rule during each classification operation. 

In order to compute intersection of sets in hardware, each set is encoded as an AT -bit 
bitmap with each bit corresponds to a rule. Tiie set of matching rules is the set of rales 
whose corresponding bits are T in the bitmap. A query similar to cross-producting: 
First, a range lookup is perfomied in each of the d dimensions. Each lookup returns a bit- 
map representing the matching rules (pre-computed for each range) in that dimension. The 
sets are intersected (a simple bit-wise AND operation) to give the set of matching rules, 
from which the best matching rule is found. See Figure 18 for an example. 

Since each bitmap is N bits wide, and there are 0(W) ranges io each of d dimensions, 
the storage space consumed is 0{dtt^. Query time is 0{dtnL*dN/w) where r^^ is the 
time to do one range lookup and is the memoiy width. Time complexity can be reduced 
by a factor of d by looking up each dimension independently in parallel. Incremental 
updates are not supported. 

Reference [6] reports that the scheme can support up to 5 12 rules with a 33 MHz field- 
programmable gate array and five IMbit SRAMs, classifying IMpps. The scheme work.^ 
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well for a small number of rules in multiple dimensions, but suffers from a quadratic 
increase in storage space and linear increase in classification time with the size of the clas- 
sifier. A variation is described in [6] that decreases storage at the expense of increased 
query time. 

3.7 Summary of classificaUon schemes 



TABLE 8. 
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